Computer networks, such as corporate Local Area Networks (LANs), are vulnerable to being compromised by both unauthorized and authorized clients. Although an unauthorized client poses a clear threat of malice, an authorized client may also compromise the network, for example, if the client is infected with a virus, invaded by spyware or another tracking threat, running software that is not up-to-date, or performing unauthorized actions. This vulnerability is present in both wired and wireless networks. The consequences of such vulnerabilities range in magnitude from the trivial—such as unauthorized clients tapping into the network for free Internet access, corruption of files, and abuse of bandwidth—to the monumental—such as the large-scale theft of personal and financial information.
Efforts have been made to manage computing environments by keeping track of and upgrading computer equipment and various levels of operating systems and applications. To this end, tools exist for auditing a network in order to determine the existence and status of both hardware and software such as the number of systems, the existence of patches, and the versions of software. Such audits can be continuous, for example by use of a daemon. Alternatively, an audit can take just a snapshot of the then-existing state of the network. Such audits can be active, for example by broadcasting queries, or passive, for example by sitting on a network switch and “sniffing,” gathering information from passing network traffic. These efforts, though, do not control access to the network. At best they can identify a problem.
Other current preventative measures include software and hardware devices that attempt to control access to the network by, for example, denying access to unauthorized clients, denying access to authorized clients without current software, and denying requests from clients that exceed the client's authority.
Existing solutions also include certain standards, such as the IEEE 802.1X standard, designed to enhance the security of networks such as Ethernet, Token Ring, or wireless LANs. Such standards segment unauthenticated clients or network devices to a virtual LAN (VLAN) during the process of authentication, effectively quarantining the unauthorized user. Numerous authentication mechanisms exist, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication. While in such a quarantined state, the client has the ability only to send information concerning its identity to an authentication server.
Certain other limited solutions exist that are more automated than the above-described solutions. For example, patch management software is available that will automatically check the existing version of a software patch when a client logs on to the network, and install the most current patch if appropriate. Additionally, anti-virus software is available that will automatically check the existing version of a client's anti-virus software upon logon to the network, and update to the current version if necessary. Also, devices and software such as a firewall can eliminate or limit clients' ability to perform certain functions, such as instant messaging, streaming video, or streaming audio.
These solutions are costly and insufficient, though, in several ways. For example, each of them applies only to one discrete vulnerability of the network. Additionally, an individual network administrator's ad hoc policy decisions may differ from the corporation's stated policy; for example, a network administrator might give a co-worker privileges to download music via the corporate network even though such action is prohibited by corporate policy. Moreover, the above solutions are a patchwork attempt to perform a critical function. There may be both known and unknown holes in the patchwork, exposing the network to threats from all sides.
Thus it is desirable to achieve improved overall network security and control.
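As an added illustration (not part of the patent text), the separate checks described above (802.1X authentication, patch level, anti-virus version, prohibited functions) folded into one policy evaluation that places the client on either a production or a quarantine VLAN; the VLAN ids, policy thresholds and client records are constructed for the example.

```python
"""Unified admission check: evaluate a client's posture against a single corporate
policy and assign it to the production VLAN or the quarantine VLAN.
Added example; VLAN ids, thresholds and client records are constructed."""
from dataclasses import dataclass, field

PRODUCTION_VLAN = 10    # constructed VLAN ids
QUARANTINE_VLAN = 999


@dataclass(frozen=True)
class Policy:
    min_patch_level: int          # lowest acceptable patch level
    min_av_version: tuple         # (major, minor) of the anti-virus signatures
    banned_apps: frozenset        # functions corporate policy prohibits


@dataclass
class Client:
    mac: str
    authenticated: bool           # result of the 802.1X exchange
    patch_level: int
    av_version: tuple
    running_apps: set


@dataclass
class Decision:
    vlan: int
    reasons: list = field(default_factory=list)


def evaluate(client: Client, policy: Policy) -> Decision:
    """Return the VLAN the switch should place the client on. Every failed
    check is recorded so the operator sees all problems, not only the first."""
    reasons = []
    if not client.authenticated:
        reasons.append("not authenticated (802.1X)")
    if client.patch_level < policy.min_patch_level:
        reasons.append(f"patch level {client.patch_level} < {policy.min_patch_level}")
    if client.av_version < policy.min_av_version:   # tuple comparison, major then minor
        reasons.append(f"anti-virus {client.av_version} < {policy.min_av_version}")
    banned = sorted(client.running_apps & policy.banned_apps)
    if banned:
        reasons.append("prohibited software: " + ", ".join(banned))
    # One central decision replaces per-tool, per-administrator judgement.
    return Decision(QUARANTINE_VLAN if reasons else PRODUCTION_VLAN, reasons)


# Constructed corporate policy used by the checks above.
POLICY = Policy(min_patch_level=42, min_av_version=(7, 3),
                banned_apps=frozenset({"p2p-music"}))
```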